← volver
CVE-2025-41702

egOS WebGUI Hard-Coded JWT Secret Enables Authentication Bypass

CVSS 9.8 CRITICALEPSS 0.5%CWE-321
The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
Welotec · EG400Mk2-D11001-000101Welotec · EG400Mk2-D11101-000101Welotec · EG500Mk2-A11001-000101Welotec · EG500Mk2-A11001-000201Welotec · EG500Mk2-A11101-000101Welotec · EG500Mk2-A12011-000101Welotec · EG500Mk2-A21101-000101Welotec · EG500Mk2-B11001-000101Welotec · EG500Mk2-B11101-000101Welotec · EG500Mk2-C11001-000101Welotec · EG500Mk2-C11101-000101Welotec · EG503LWelotec · EG503L_4GBWelotec · EG503L-GWelotec · EG503WWelotec · EG503W_4GBWelotec · EG602LWelotec · EG602WWelotec · EG603L Mk2Welotec · EG603W Mk2Welotec · EG802WWelotec · EG802W_i7_512GB_DinRailWelotec · EG802W_i7_512GB_w/o DinRailWelotec · EG804WWelotec · EG804W Pro

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://certvde.com/de/advisories/VDE-2025-076